Facebook PHP SDK - getLoginUrl() - state value

7
votes

I am using the PHP SDK getLoginUrl() function which works perfectly to log the user in. Once the user is redirected back to my page, the URL can come in two forms, see in the following link subsection 3: http://developers.facebook.com/docs/authentication/server-side/

Part of the return URL is a ?state= value. This value is supposed to be used to prevent Cross Site Request Forgery: http://developers.facebook.com/docs/reference/dialogs/oauth/

Though, using the getLoginUrl() method I can never set a state value as it is not one of the parameters: http://developers.facebook.com/docs/reference/php/facebook-getLoginUrl/

So how can I utilize the state-value to log a user into facebook and prevent CSRF?

1
facebookfacebook-php-sdkstatecsrf
I've been wondering this too. Something I'm doing now goes something like this: (I'm sure theres a better more correct way) $loginUrl = $facebook->getLoginUrl(array('scope' => 'email', 'redirect_uri' => FACEBOOK_REDIRECT_URL)); $_SESSION['state'] = $_SESSION['fb_'.FACEBOOK_APP_ID.'_state']; . Then when authenticating after the redirect back to your site: if($_SESSION['state'] == $_REQUEST['state']) { //not CSRF } - uguMark

1 Answers

3
votes

So how can I utilize the state-value to log a user into facebook and prevent CSRF?

This is being automatically handled by the Facebook PHP SDK. If you were about to write your own API calls to Facebook, you would need to submit the state manually (if desired) as per Facebook's OAuth documentation.

When you create a login url with BaseFacebook::getLoginUrl(), the first thing the function does is to establish CSRF token state1, which creates a hash using PHP's core mt_rand(), uniqid() and md5() functions and also stores the value as a session variable.

When the user gets redirected back to your page the, FBSDK checks if the submitted state matches the state value in the session. If the values indeed match, the state is cleared from the Facebook object and from the session, so all subsequent getLoginUrl() requests would get a new state variable.2

Theoretically you could use your own state value with FBSDK by writing it to fb_<your_app_id>_state session variable before constructing the Facebook-object, as the BaseFacebook's constructor and establishCSRFTokenState() both check if the state already exists in the session.

But that would probably introduce more complexity than is necessary.

 

  1. see BaseFacebook::establishCSRFTokenState()
  2. see BaseFacebook::getCode()